You can configure the security protocols and cryptographic algorithms that are used to encrypt communications between clients and the Unified Access Gateway appliance from the admin configuration pages.
Prerequisites
- Review the Unified Access Gateway Deployment Properties. The following settings information is required:
  - Static IP address for the Unified Access Gateway appliance
  - IP addresses of the DNS servers
    Note: A maximum of two DNS server IP addresses can be specified. Unified Access Gateway uses the platform default fallback public DNS addresses only when no DNS server addresses are provided to Unified Access Gateway, either as part of the configuration settings or through DHCP.
  - Password for the administration console
  - URL of the server instance or load balancer that the Unified Access Gateway appliance points to
  - Syslog server URL to save the event log files
Procedure
- In the admin UI Configure Manual section, click Select.
- In the Advanced Settings section, click the System Configuration gearbox icon.
- Edit the following Unified Access Gateway appliance configuration values.
The options, with their default values and descriptions, are as follows.
UAG Name: Unique Unified Access Gateway appliance name. Note: The appliance name can be a text string of up to 24 characters consisting of letters (A-Z), digits (0-9), the minus sign (-), and the period (.). The appliance name cannot contain spaces.
Locale: Specifies the locale to use when generating error messages.
- en_US for American English. This is the default.
- ja_JP for Japanese
- fr_FR for French
- de_DE for German
- zh_CN for Simplified Chinese
- zh_TW for Traditional Chinese
- ko_KR for Korean
- es for Spanish
- pt_BR for Brazilian Portuguese
- en_GB for British English
TLS Server Cipher Suites: Enter a comma-separated list of cipher suites, which are the cryptographic algorithms used to encrypt inbound TLS connections to Unified Access Gateway. This option is used together with other options, such as the TLS versions, named groups, and signature schemes, that control which security protocols are enabled.
The TLS Server Cipher Suites supported in FIPS mode are as follows:
- Default enabled cipher suites:
  - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- Cipher suites that are supported and can be manually configured:
  - TLS_RSA_WITH_AES_256_CBC_SHA256
  - TLS_RSA_WITH_AES_128_CBC_SHA256
  - TLS_RSA_WITH_AES_256_CBC_SHA
  - TLS_RSA_WITH_AES_128_CBC_SHA
The default TLS Server Cipher Suites in non-FIPS mode are as follows:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
This option can be configured during PowerShell deployment by adding the cipherSuites parameter in the INI file. See Using PowerShell to Deploy the Unified Access Gateway Appliance.
TLS Client Cipher Suites: Enter a comma-separated list of cipher suites, which are the cryptographic algorithms used to encrypt outbound TLS connections from Unified Access Gateway. This option is used together with other options, such as the TLS versions, named groups, and signature schemes, that control which security protocols are enabled.
The following cipher suites are supported in FIPS mode:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
In non-FIPS mode, by default, all cipher suites that are supported by the SSL library (Java/OpenSSL) can be used.
This option can be configured during PowerShell deployment by adding the outboundCipherSuites parameter in the INI file. See Using PowerShell to Deploy the Unified Access Gateway Appliance.
SSL Provider: Select the SSL Provider implementation used for handling TLS connections. To configure TLS Named Groups and TLS Signature Schemes, the value of this option must be JDK. By default, the value of this option is OPENSSL.
Note: When the value of this option is JDK, OCSP-based certificate revocation checking is not supported. CRL-based certificate revocation checking is supported.
Any change to this option restarts the Unified Access Gateway services. Ongoing Unified Access Gateway sessions are not retained during the restart.
This option can be configured during PowerShell deployment by adding the sslProvider parameter in the INI file. See Using PowerShell to Deploy the Unified Access Gateway Appliance.
TLS Named Groups: Allows the administrator to configure the desired named groups (elliptic curves), from a list of supported named groups, that are used for key exchange during the SSL handshake. This option accepts comma-separated values. Some of the supported named groups are secp256r1, secp384r1, and secp521r1.
To configure this option, ensure that the SSL Provider option is set to JDK. Otherwise, the TLS Named Groups option is disabled. Any change to this option restarts the Unified Access Gateway services. Ongoing Unified Access Gateway sessions are not retained during the restart.
This option can be configured during PowerShell deployment by adding the tlsNamedGroups parameter in the INI file. See Using PowerShell to Deploy the Unified Access Gateway Appliance.
TLS Signature Schemes: Allows the administrator to configure the supported TLS signature algorithms used for key validation during the SSL handshake. This option accepts comma-separated values. Some of the supported signature schemes are rsa_pkcs1_sha, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pss_rsae_sha256, and rsa_pss_rsae_sha384.
To configure this option, ensure that the SSL Provider option is set to JDK. Otherwise, the TLS Signature Schemes option is disabled. Any change to this option restarts the Unified Access Gateway services. Ongoing Unified Access Gateway sessions are not retained during the restart.
This option can be configured during PowerShell deployment by adding the tlsSignatureSchemes parameter in the INI file. See Using PowerShell to Deploy the Unified Access Gateway Appliance.
Enable TLS 1.0: By default, this toggle is turned off. Turn on this toggle to enable the TLS 1.0 security protocol.
Enable TLS 1.1: By default, this toggle is turned off. Turn on this toggle to enable the TLS 1.1 security protocol.
Enable TLS 1.2: By default, this toggle is turned on, so the TLS 1.2 security protocol is enabled.
Enable TLS 1.3: By default, this toggle is turned on, so the TLS 1.3 security protocol is enabled.
Allowed Host Headers: Enter the IP addresses or host names that are accepted as host header values. This setting applies to Unified Access Gateway deployments for the Horizon and Web Reverse Proxy use cases. For Unified Access Gateway deployments with Horizon, you might be required to provide multiple host headers, depending on whether N+1 Virtual IP (VIP) is used and whether the Blast Secure Gateway (BSG) and VMware Tunnel are enabled and configured to use port 443 externally.
The Horizon clients send the IP address in the host header of the Blast connection request. If the BSG is configured to use port 443, the allowed host headers must contain the external IP address of the BSG host name configured in the Blast external URL for the specific UAG.
If no host header values are specified, any host header value sent by the client is accepted by default.
CA Certificate: This option is enabled when a Syslog server is added. Select a valid Syslog Certificate Authority certificate.
Health Check URL: Enter a URL that the load balancer connects to in order to check the health of Unified Access Gateway.
HTTP Health Monitor: By default, this toggle is turned off, and HTTP health check URL requests are redirected to HTTPS. When you turn on this toggle, Unified Access Gateway responds to the health check request on HTTP as well.
Cookies to be Cached: The set of cookies that Unified Access Gateway caches. The default is none.
Session Timeout: The default value is 36000000 milliseconds. Note: The value of Session Timeout on the Unified Access Gateway must be the same as the value of the Forcibly disconnect users setting on the Horizon Connection Server. The Forcibly disconnect users setting is one of the General Global Settings in the Horizon console. For more information about this setting, see Configuring Settings for Client Sessions in the VMware Horizon Administration documentation at VMware Docs.
Quiesce Mode: Turn on this toggle to pause the Unified Access Gateway appliance so that it reaches a consistent state in which maintenance tasks can be performed.
Monitor Interval: The default value is 60.
Password Age: Number of days the password is valid for the user in the ADMIN role. The default value is 90 days. The maximum value that can be configured is 999 days. For the password to never expire, specify the value of this field as 0.
Monitoring Users Password Age: Number of days the password is valid for the users in the MONITORING role. The default value is 90 days. The maximum value that can be configured is 999 days. For the password to never expire, specify the value of this field as 0.
Request Timeout: The maximum time Unified Access Gateway waits for a request to be received. The default value is 3000. This timeout must be specified in milliseconds.
Body Receive Timeout: The maximum time Unified Access Gateway waits for a request body to be received. The default value is 5000. This timeout must be specified in milliseconds.
Maximum Connections per Session: Maximum number of TCP connections allowed per TLS session. The default value is 16. For no limit on the allowed number of TCP connections, set the value of this field to 0. Note: A field value of 8 or lower causes errors in the Horizon Client.
Client Connection Idle Timeout: Specify the time (in seconds) a client connection can stay idle before the connection is closed. The default value is 360 seconds (6 minutes). A value of zero indicates that there is no idle timeout.
Authentication Timeout: The maximum wait time in milliseconds within which authentication must complete. The default value is 300000. If 0 is specified, there is no time limit for authentication.
Clock Skew Tolerance: Enter the permitted time difference in seconds between a Unified Access Gateway clock and the other clocks on the same network. The default is 600 seconds.
Max Allowed System CPU: The maximum allowed average system CPU usage over one minute. When the configured CPU limit is exceeded, new sessions are not allowed and the client receives an HTTP 503 error to indicate that the Unified Access Gateway appliance is temporarily overloaded. Exceeding the limit also allows a load balancer to mark the Unified Access Gateway appliance down so that new requests can be directed to other Unified Access Gateway appliances. The value is a percentage. The default value is 100%.
Join CEIP: If enabled, sends Customer Experience Improvement Program ("CEIP") information to VMware. See Join or Leave the Customer Experience Improvement Program for details.
Enable SNMP: Turn on this toggle to enable the SNMP service. Unified Access Gateway uses Simple Network Management Protocol to collect system statistics, memory and disk space usage statistics, and Tunnel edge service MIB information. The available Management Information Bases (MIBs) are:
- UCD-SNMP-MIB::systemStats
- UCD-SNMP-MIB::memory
- UCD-SNMP-MIB::dskTable
- VMWARE-TUNNEL-SERVER-MIB::vmwTunnelServerMIB
SNMP Version: Select the desired SNMP version. Note: If you have deployed Unified Access Gateway through PowerShell and enabled SNMP, but have not configured SNMPv3 settings either through PowerShell or the Unified Access Gateway Admin UI, then by default the SNMPv1 and SNMPv2c versions are used. For configuring the SNMPv3 settings in the Admin UI, see Configure SNMPv3 Using the Unified Access Gateway Admin UI.
For configuring SNMPv3 settings through PowerShell deployment, certain SNMPv3 settings must be added to the INI file. See Using PowerShell to Deploy the Unified Access Gateway Appliance.
Admin Disclaimer Text: Enter the disclaimer text based on your organization's user agreement policy. To log in to the Unified Access Gateway Admin UI successfully, the administrator must accept the agreement policy.
The disclaimer text can be configured either through PowerShell deployment or by using the Unified Access Gateway Admin UI. For more information about the PowerShell setting in the INI file, see Using PowerShell to Deploy the Unified Access Gateway Appliance.
When using the Unified Access Gateway Admin UI to configure this text box, the administrator must first log in to the Admin UI and then configure the disclaimer text. On subsequent administrator logins, the text is displayed for the administrator to accept before the login page is shown.
DNS: Enter the Domain Name System addresses that are added to the /run/systemd/resolve/resolv.conf configuration file. It must contain a valid DNS address. Click '+' to add a new DNS address.
DNS Search: Enter the Domain Name System search entries that are added to the /run/systemd/resolve/resolv.conf configuration file. It must contain a valid DNS search address. Click '+' to add a new DNS search entry.
Time Sync With Host: Turn on this toggle to synchronize the time on the Unified Access Gateway appliance with the time of the ESXi host. By default, this toggle is turned off.
This option uses VMware Tools for time synchronization and is supported only when Unified Access Gateway is deployed on an ESXi host.
If you choose this option for time synchronization, the NTP Servers and FallBack NTP Servers options are disabled.
This option can be configured through PowerShell by adding the hostClockSyncEnabled parameter in the INI file. See Using PowerShell to Deploy the Unified Access Gateway Appliance.
NTP Servers: NTP servers for Network Time Protocol synchronization. You can enter valid IP addresses and host names. Any per-interface NTP servers obtained from the systemd-networkd.service configuration or through DHCP take precedence over these settings. Click '+' to add a new NTP server. If you choose this option for time synchronization, the Time Sync With Host option is disabled.
FallBack NTP Servers: Fallback NTP servers for Network Time Protocol synchronization. If no NTP server information is found, these fallback NTP server host names or IP addresses are used. Click '+' to add a new fallback NTP server. If you choose this option for time synchronization, the Time Sync With Host option is disabled.
Extended Server Certificate Validation: Turn on this toggle so that Unified Access Gateway performs extended validation of the SSL server certificate received on outbound TLS connections to the backend servers. The extended checks include validating the certificate's expiry, a host name mismatch, the certificate revocation status, and the extended key usage values.
By default, this option is disabled.
This option can be configured through PowerShell by adding the extendedServerCertValidationEnabled parameter in the INI file. See Using PowerShell to Deploy the Unified Access Gateway Appliance.
SSH Public Keys: Upload public keys to enable root user access to the Unified Access Gateway virtual machine when using the public-private key pair option. Administrators can upload multiple, unique public keys to Unified Access Gateway.
This field is visible on the Admin UI only when the following SSH options are set to true during deployment: Enable SSH and Allow SSH root login using key pair. For information about these options, see Deploy Unified Access Gateway Using the OVF Template Wizard.
- Click Save.
What to do next
Configure the edge service settings for the components that Unified Access Gateway is deployed with. After the edge settings are configured, configure the authentication settings.